Knox Admin UI Quicklink Requirements for Unsecured Clusters

If you are in an unsecured cluster and navigate to the Knox Admin UI via quicklink,
and the UI loads but no topologies are visible, some configurations must be adjusted for
your deployment.

Context

The Knox Admin UI is hosted in a topology called manager.xml; this topology is not
manageable by Ambari. It is manageable by Knox Admin UI, but there is an access
issue before changing your configurations. Rather than adding another topology to
the fixed set managed by Ambari, a number of enhancements have been made to have
reasonable defaults and centralized configuration for admin capabilities within
gateway-site.xml.

Defaults/Central Config

KnoxSSO is set up out-of-the-box to still use the DEMO LDAP server for Knox. It needs
to be configured for enterprise AD/LDAP or another SSO mechanism as appropriate for
the deployment.

Authorization checks within the manager.xml and
admin.xml topologies now default to
gateway-site.xml properties called
gateway.knox.admin.users and
gateway.knox.admin.groups. These are comma-separated lists of
users and groups that should have access to the admin capabilities in
manager.xml and admin.xml topologies.

In order for the groups capability to work out of the box, it is assumed that local
OS accounts with groups are available on the Knox machine. This is very often the
case for secure clusters but not necessarily for unsecured clusters. In unsecured
clusters, it is possible that LDAP configuration will need to be added to
gateway-site.xml. This is done via the Hadoop Group Provider
values with a specific prefix for this use: gateway.group.config.
All of the config that begins with that prefix will be found and used to configure
the group lookup mechanism for the deployment. See the following for more details on
Hadoop Group Provider: “Hadoop Group Lookup Identity Assertion Provider”. Since
the admin topologies have already been seeded with the prefix to look for, the
configuration only needs to be added to the gateway-site.xml and
the server restarted.

The manager.xml and admin.xml topologies have been
defaulted to be considered auto-deploy topologies since they now depend on
gateway-site.xml config and need to be redeployed to uptake
that config. They should automatically do so on gateway restart but if for some
reason they don't they can be redeployed manually by touching the files or using the
Knox CLI to redeploy them from the Knox machine/s.